- credential-theft
- password-spray
- legacy-protocols
- conditional-access
- entra-identity-protection
- mfa-gap
Credential Theft Campaign Targeting Legacy Protocols Blocked by Conditional Access
A persistent credential theft campaign targeting user_1@[INTERNAL_DOMAIN_1].com with 35 failed authentication attempts from 23 IP addresses across 15 countries was successfully blocked by conditional access policies, though the account remains at elevated risk due to absent MFA.
Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.
Initial Signal
Between February 22-25, 2026, Microsoft Entra Identity Protection flagged the account user_1@[INTERNAL_DOMAIN_1].com with 218 high-severity alerts. The signal: 35 failed sign-in attempts originating from 23 unique IP addresses spanning 15 countries—Morocco, Colombia, Finland, France, UK, US, Belgium, Sweden, Jamaica, Netherlands, India, Japan, Venezuela, Armenia, Mexico, and Luxembourg.
The attack pattern was methodical. Twenty-eight of the 35 attempts targeted legacy authentication via ROPC (Resource Owner Password Credentials) and Authenticated SMTP against Office 365 Exchange Online—protocols that bypass modern MFA controls. Microsoft Entra Identity Protection categorized the threats as 91 password spray alerts, 91 unfamiliar sign-in property detections, 29 anonymous IP flags, 18 atypical travel alerts, and 5 malicious IP identifications.
The investigation spanned 3m 46s of autonomous analysis across Microsoft Entra ID Sign-in Logs, Identity Protection risk detections, and authentication method configurations. Despite the account's critical vulnerability—no MFA registration, password-only authentication—conditional access policies with error code 53003 successfully blocked every unauthorized attempt. All legitimate activity originated from [SITE_1] corporate networks using managed devices.
How We Reached the Verdict
The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.
- Could this be an account compromise? Ruled out (high confidence). Legitimate activity originated from [SITE_1] corporate networks using managed devices with proper device authentication. The sign-in logs show that conditional access policies successfully blocked authentication attempts even when passwords were correct, preventing actual account compromise.
- Could this be normal activity? Ruled out.
- Could this be a false positive? Ruled out.
- Could this be a policy violation? Ruled out.
Disconfirming Evidence
Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.
Evidence Gathered
The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.
- Failed authentication attempts against user_1@[INTERNAL_DOMAIN_1].com from 23 unique IP addresses across 15 countries between February 22-25, 2026
- Legitimate sign-ins from [SITE_1], California IP addresses within the [EXTERNAL_IP_1]-[EXTERNAL_IP_4] range, identified as the trusted named locations [NAMED_LOCATION_1] and [NAMED_LOCATION_2] networks
False Positive Analysis
The agent ran these validation checks to confirm the verdict isn't a false positive.
- fp1: Verified geographic distribution of authentication attempts across 15 countries including Morocco, Colombia, Finland, France, UK, US, Belgium, Sweden, Jamaica, Netherlands, India, Japan, Venezuela, Armenia, Mexico, and Luxembourg (Pass)
- fp2: Analyzed authentication protocols used in the attack attempts (Pass)
- fp3: Evaluated Microsoft Entra Identity Protection risk assessments (Pass)
- fp4: Compared legitimate user activity patterns with suspicious authentication attempts (Pass)
Detection Opportunities
The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.
| Technique | Tactic | Context |
|---|---|---|
| T1078.004 Valid Accounts - Cloud Accounts | Initial Access | Flag sign-in attempts from anonymous IP addresses, impossible travel patterns (authentication from geographically distant locations within minutes), and unfamiliar device properties targeting legacy authentication protocols. Alert on bulk authentication attempts (more than 5 in 1 hour) against a single account using ROPC or Authenticated SMTP, especially when originating from non-corporate IP ranges. Entra Identity Protection's unfamiliar sign-in property alerts should trigger immediate review of conditional access policy effectiveness. |
| T1110.003 Brute Force - Password Spraying | Credential Access | Monitor for multiple failed authentication attempts against a single account from diverse IP addresses within a short timeframe. Alert when more than 10 failed attempts occur within 24 hours, especially if they target legacy authentication methods like ROPC or Authenticated SMTP that bypass MFA. Correlate with Entra Identity Protection password spray alerts; 91 such alerts in 72 hours against one account is a strong indicator of an active campaign. |
| T1078.004 Valid Accounts - Cloud Accounts | Initial Access | Flag authentication attempts from geographically impossible locations—e.g., sign-in from Jamaica followed by sign-in from Japan within 30 minutes. Entra Identity Protection's atypical travel detection should be tuned to alert on any cross-continental authentication within 2 hours. Combine with IP reputation data to identify malicious IP addresses; in this case, 5 malicious IPs were detected among the 23 unique sources. |
| T1578.004 Modify Cloud Compute Infrastructure - Create Cloud Instance | Defense Evasion | Alert on sign-in attempts from IP addresses flagged as anonymous proxies, VPNs, or Tor exit nodes. In this investigation, 29 anonymous IP alerts were generated. Combine with other risk signals: if an anonymous IP is also flagged as malicious or shows atypical travel, escalate immediately. Block or require step-up authentication (e.g., MFA) for all sign-ins from anonymous IP ranges. |
| T1190 Exploit Public-Facing Application | Initial Access | Entra Identity Protection identified 5 malicious IP addresses among the 23 sources in this campaign. Implement IP reputation feeds and block or challenge all authentication from known malicious IPs. Correlate malicious IP alerts with other risk signals (password spray, anonymous IP, atypical travel) to confirm coordinated attack campaigns. In this case, the combination of malicious IPs + password spray + legacy protocol targeting = high-confidence credential attack. |
Verdict Reasoning
The verdict of Credential Compromise at high confidence rests on the following mutually corroborating signals:
1. Thirty-five failed authentication attempts from 23 geographically dispersed IP addresses across 15 countries within a 72-hour window, with 28 targeting legacy ROPC protocol via Exchange Online—a pattern consistent with credential stuffing or password spraying
2. Microsoft Entra Identity Protection's independent risk classification: 218 alerts including 91 password spray detections, 91 unfamiliar sign-in property alerts, 29 anonymous IP flags, and 5 malicious IP identifications, all marking the account as atRisk with high risk level
3. Conditional access policies successfully blocked all unauthorized attempts using error code 53003, preventing actual account compromise despite the attacker possessing or attempting valid credentials
4. Complete absence of successful sign-ins from suspicious locations or with anomalous patterns; all legitimate activity originated from [SITE_1] corporate networks using compliant managed devices
5. No post-authentication malicious activity detected—no data exfiltration, privilege escalation, or lateral movement—confirming the attack was contained before account takeover. Confidence is High rather than Confirmed because the account's lack of MFA registration and the absence of post-compromise telemetry leave a narrow gap: we cannot definitively rule out that the attacker obtained valid credentials, only that they failed to use them successfully before detection and blocking occurred
Lessons
- 01. Legacy protocols are attack highways you cannot defend. This investigation shows 28 of 35 attack attempts (80%) targeted ROPC and Authenticated SMTP—legacy authentication methods that bypass MFA entirely. The attacker chose these protocols deliberately because they work around modern security controls. Conditional access policies blocked the attacks, but only because they were configured to do so. The lesson: disable legacy authentication protocols in your tenant unless there is an explicit business requirement. If you must support them, require step-up authentication and IP restrictions. In this case, disabling ROPC for Exchange Online would have stopped the attack at the protocol level.
- 02. MFA absence is a critical vulnerability, not a minor gap. The user_1 account had zero MFA methods registered. The 218 alerts from Entra Identity Protection and the conditional access block were the only things standing between the attacker and account takeover. If conditional access had been misconfigured or if the attacker had used a trusted IP range, the account would have been compromised. Mandate MFA for all users, especially those with access to email or sensitive data. The cost of enrollment is negligible compared to the risk of a compromised account.
- 03. Geographic dispersion across 15 countries in 72 hours is not a false positive. The investigation correctly ruled out false positive scenarios by noting the 15-country spread, the use of anonymization services, and the targeting of legacy protocols. However, this pattern is also a strong indicator that the attacker had access to a credential database or was running a large-scale password spray campaign. The presence of 5 malicious IPs among the 23 sources confirms this was not a single attacker but a coordinated campaign. Alert on any account seeing authentication from more than 5 countries in 24 hours; it is almost never legitimate business travel.
- 04. Conditional access policies work, but only if you configure them correctly. Error code 53003 (Access has been blocked by Conditional Access policies) appeared repeatedly in the logs, meaning the policies were doing their job. However, the account remained at high risk because the attacker had the credentials and was actively trying to use them. Conditional access is a control, not a cure. After an attack like this, reset the user's password, enforce MFA enrollment, and review the policies to ensure they are blocking the right traffic. In this case, the policies should have also blocked ROPC entirely, not just required additional conditions.
- 05. Legitimate activity patterns are your baseline for detecting the abnormal. All of user_1's legitimate sign-ins came from [SITE_1] corporate networks using managed devices. This clear baseline made it trivial to spot the 35 failed attempts from 23 foreign IPs. Establish and document the normal authentication pattern for each user or role, then alert on deviations. In this investigation, the contrast between the legitimate [SITE_1] activity and the global attack attempts was stark. Use this principle to tune your detection rules: if a user never signs in from outside the US, flag any sign-in from Japan as suspicious.
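The thresholds from the Detection Opportunities table (legacy-auth bursts, password-spray failure counts, Conditional Access correlation) and from Lesson 03 (country spread), implemented over exported sign-in records, as an added example that is not the investigation platform's code. The record field names are modelled on Entra ID sign-in log exports and are assumptions, as are the legacy client-app labels and the corporate IP prefix; the sample records are constructed.

```python
from datetime import datetime, timedelta
# Field names follow Entra ID sign-in log exports (assumption); labels and ranges are placeholders.
LEGACY_APPS = {"Authenticated SMTP", "Other clients"}   # assumed labels for SMTP auth / ROPC clients
CORP_PREFIX = "203.0.113."   # constructed stand-in for the trusted named-location range
CA_BLOCKED = "53003"         # Conditional Access block code seen in the investigation

def _ts(e):
    return datetime.fromisoformat(e["TimeGenerated"])

def _user_events(events, user):
    return sorted((e for e in events if e["UserPrincipalName"] == user), key=_ts)

def _max_in_window(times, window):  # peak number of timestamps inside any sliding window
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def legacy_burst(events, user, threshold=5):
    """Table rule: more than `threshold` legacy-auth attempts in 1 hour from non-corporate IPs."""
    times = [_ts(e) for e in _user_events(events, user)
             if e["ClientAppUsed"] in LEGACY_APPS and not e["IPAddress"].startswith(CORP_PREFIX)]
    return _max_in_window(times, timedelta(hours=1)) > threshold

def spray_failures(events, user, threshold=10, min_ips=3):
    """Table rule: more than `threshold` failures in 24 hours from at least `min_ips` source IPs."""
    failed = [e for e in _user_events(events, user) if e["ResultType"] != "0"]
    many = _max_in_window([_ts(e) for e in failed], timedelta(hours=24)) > threshold
    return many and len({e["IPAddress"] for e in failed}) >= min_ips

def country_spread(events, user, threshold=5):
    """Lesson 03: activity from more than `threshold` countries inside any 24-hour window."""
    ev = _user_events(events, user)
    return any(len({b["Location"] for b in ev[i:] if _ts(b) - _ts(a) <= timedelta(hours=24)}) > threshold
               for i, a in enumerate(ev))

def triage(events, user):
    """Rule hits plus the count of failures Conditional Access did NOT stop (code other than 53003)."""
    unblocked = [e for e in _user_events(events, user) if e["ResultType"] not in ("0", CA_BLOCKED)]
    return {"legacy_burst": legacy_burst(events, user), "password_spray": spray_failures(events, user),
            "country_spread": country_spread(events, user), "unblocked_failures": len(unblocked)}

# Constructed sample: 12 legacy failures in 44 minutes from 12 IPs in 6 countries, all CA-blocked.
USER, COUNTRIES = "user_1@example.com", ["MA", "CO", "FI", "FR", "JM", "JP"]
SAMPLE = [{"UserPrincipalName": USER, "IPAddress": f"198.51.100.{i}", "Location": COUNTRIES[i % 6],
           "ClientAppUsed": "Authenticated SMTP" if i % 2 else "Other clients", "ResultType": CA_BLOCKED,
           "TimeGenerated": (datetime(2026, 2, 23, 10) + timedelta(minutes=4 * i)).isoformat()}
          for i in range(12)]
```

Running `triage(SAMPLE, USER)` on the constructed sample fires all three rules with zero unblocked failures, which is the shape of the case above: a noisy, well-contained campaign that still warrants a password reset and MFA enrollment.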